[nycphp-talk] system commands and backups
nyphp at enobrev.com
Tue Mar 4 20:05:43 EST 2003
Actaully, the security concerns you're mentioning is the primary reason
for my shout to the group. I really want to offer a good solution, but
it seems like it leaves a pretty wide hole open.
Anyone else know of ways to run special user privileged commands with
half the fat?
> -----Original Message-----
> From: George Webb [mailto:gw.nyphp at gwprogramming.com]
> Sent: Tuesday, March 04, 2003 7:50 PM
> To: NYPHP Talk
> Subject: Re: [nycphp-talk] system commands and backups
> > Is there a way to allow a php script to run
> > shell commands as an admin or specific user?
> Hi Mark. I have done this, but before anyone would want
> to do so, they should recognize the security risks involved.
> It may be a convenience versus security issue, wherein you
> may accidentally allow all of your web users (possibly
> everyone in the world?) to access anything that your user
> (or worse yet, your 'root' user) can.
> So I hope you already know all about that. Now,
> to answer your question, you may be able to set the "setuid"
> bit on your PHP CGI executable, together with changing the
> ownership of the executable itself. Then you can associate
> certain files or directories to use *this* PHP CGI handler
> instead of the default (apache module PHP, correct?).
> For example, if you want all files ending in '.uphp'
> to be executed by your special set-user PHP, you might do the
> following, which will allow *.php files to be executed
> normally, but *.uphp files will be executed by user 'marka'
> (or whatever):
> 1/ Add the following Apache .htaccess lines:
> Options +ExecCGI
> AddType cgi-script .cgi
> Action user-php /php.cgi
> AddHandler user-php .uphp
> 2/ Copy your PHP 4.3.1 or later CGI binary to
> your webserver root, and rename it as described above (php.cgi).
> 3/ Change the ownership as appropriate, and
> set the setuid bit:
> chown marka php.cgi
> chmod u+s php.cgi
> 4/ Sit back and wait to be hacked!
> One other nice thing is that this PHP parser can
> have its own php.ini file, which may be different from the
> one the rest of the webserver uses!
> Maybe some other better sysadmins can comment on
> how to make this setup more secure. Like these ideas:
> 1/ Run a separate httpd server on a special port
> using this special configuration.
> 2/ Restrict the special port using a firewall or
> ipchains or whathaveyou.
> 3/ chroot the filesystem for this special config,
> so that your whole machine won't get hacked.
> Another approach (which maybe I should have mentioned
> first) is to use 'sudo' to allow your 'nobody' user to do
> only certain special tasks.
> If your webserver is on a totally private network and
> you're not worried about system security, you can do a lot
> more. But if it's on the Internet, be aware!!!
> Best, George.
> George Webb
> gw.nyphp at gwprogramming.com
> --- Unsubscribe at http://nyphp.org/list/ ---
More information about the talk